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Measurement-device-independent quantum key distribution (MDI-QKD) can provide enhanced security, as 
compared to traditional QKD, and it constitutes an important framework for a quantum network with an un¬ 
trusted network server. Still, a key assumption in MDI-QKD is that the sources are trusted. We propose here 
a MDI quantum network with a single untrusted source. We have derived a complete proof of the uncondi¬ 
tional security of MDI-QKD with an untrusted source. Using simulations, we have considered various real-life 
imperfections in its implementation, and the simulation results show that MDI-QKD with an untrusted source 
provides a key generation rate that is close to the rate of initial MDI-QKD in the asymptotic setting. Our work 
proves the feasibility of the realization of a quantum network. The network users need only low-cost modula¬ 
tion devices, and they can share both an expensive detector and a complicated laser provided by an untrusted 
network server. 


I. INTRODUCTION 


The global quantum network is believed to be the next- 
generation information-processing platform for speedup com¬ 
putation and a secure means of communication. Among the 
applications of the quantum network, quantum key distribu¬ 
tion (QKD) is one of the first technology in quantum infor¬ 
mation science to produce practical applications [1-3]. Com¬ 
mercial QKD systems have appeared on the market [4, 5], and 
QKD networks have been developed [6-8]. Unfortunately, 
due to real-life imperfections, a crucial problem in current 
QKD implementations is the discrepancy between its theory 
and practice [3]. An eavesdropper (Eve) could exploit such 
imperfections and hack a QKD system. Indeed, the recent 
demonstrations of various attacks [9-16] on practical QKD 
systems highlight that the theory-practice discrepancy is a ma¬ 
jor problem for practical QKD. 

Measurement-device-independent quantum key distribu¬ 
tion (MDI-QKD) [17] removes all detector side-channel at¬ 
tacks. This kind of attack is arguably the most important se¬ 
curity loophole in conventional QKD implementations [12- 
lb]. The assumption in MDI-QKD is that the state prepa¬ 
ration can be trusted. Unlike security patches [18-20] and 
device-independent QKD [21], MDI-QKD can remove all de¬ 
tector loopholes and is also practical for current technology. 
Hence, MDI-QKD has attracted a lot of scientific attention 
in both theoretical [22-29] and experimental [30-35] studies. 
See [36] for a review of its recent development. 

An important feature of MDI-QKD is that it can be used 
to build a fiber-based MDI quantum network with a fully un¬ 
trusted network server (see Fig. 1(a)). This framework can re¬ 
alize various quantum information-processing protocols, such 
as quantum repeater [37], quantum fingerprinting [38, 39], 
blind quantum computing [40], and multiparty quantum com¬ 
munication [29]. This scheme is advantageous in compar¬ 
ison to the recent demonstrations of quantum access net¬ 
works [6-8], since it completely removes the need for the 
trust of the central relay node. Nevertheless, the scheme faces 
several crucial challenges in practice: (i) A key assumption 
is that the users’ frequency-locked lasers are trusted. How- 
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FIG. 1: (Color online) (a) A fiber-based quantum network with N 
trusted lasers, (b) A quantum network with a single untrusted laser 
source. 


ever, since frequency-locked lasers 1 used in MDI-QKD ex¬ 
periments [30, 33, 35] are complicated apparatuses, there is a 
great risk involved in each user’s trust that a commercial com¬ 
pact laser does not have any security loopholes, (ii) It is well 
known that the major challenge in implementation of Fig. 1(a) 
is the performance of high-fidelity interference between pho¬ 
tons from spatially separated lasers [17, 30]. (iii) In fiber 
communication, it is necessary to introduce additional time- 
synchronization system and to include complex feedback con¬ 
trols to compensate for the polarization rotations (e.g., an im¬ 
plementation in [34]). All these challenges render Fig. 1(a) 
difficult for practical implementations and applications. 

Recently, to mitigate the experimental complexity of the in¬ 
terference from two remote lasers, several groups have pro¬ 
posed a new protocol against untrusted detectors [41^14]. A 


1 See, for instance, http://dev.wavelengthreferences.com/clarity-precision- 
frequency-standard. 




2 


slight drawback is that a rigorous security analysis for this 
protocol is challenging, which makes the protocol vulnera¬ 
ble to attacks if certain assumptions cannot be satisfied [45]. 
Another elegant proposal to resolve the limitations in the im¬ 
plementation of MDI-QKD is the so-called plug&play MDI- 
QKD [46]. Despite the importance of this proposal, a cru¬ 
cial part to guarantee the security - source monitoring - is ig¬ 
nored, which makes plug&play MDI-QKD vulnerable to vari¬ 
ous source attacks [9-1 1]. Also, a complete security proof for 
plug&play MDI-QKD and the analysis of practical imperfec¬ 
tions are missing. 

In this paper, we overcome the challenges of Fig. 1(a) by 
proposing a MDI quantum network with a single untrusted 
source in Fig. 1(b). The untrusted server transmits strong 
laser pulses to users, ah of whom monitor the pulses, encode 
their bit information and send the attenuated pulses back to 
the server for measurement. We focus on the application of 
such a network to QKD. Crucially, we show that, even with 
an untrusted source, the communication security can be ana¬ 
lyzed quantitatively and rigorously. Motivated by the security 
analysis for conventional plug&play QKD [47, 48], we show 
what measures by the users are necessary to ensure the se¬ 
curity, and to rigorously derive a lower bound of the secure 
key generation rate. Moreover, we propose a novel decoy 
state method for MDI-QKD with an untrusted source. Fur¬ 
thermore, using simulations, we study how different real-life 
imperfections affect the security, and our simulation results 
show that MDI-QKD with an untrusted source provides a key 
generation rate that is close to the rate with trusted sources 
in the asymptotic limit. These results provide a complete se¬ 
curity analysis for plug&play MDI-QKD, and more impor¬ 
tantly, make plug&play MDI-QKD unconditionally secure, 
even with practical imperfections. 

Our proposed MDI quantum network has the following 
advantages: (i) It completely removes the trust of the laser 
source, (ii) It can realize the MDI quantum network with a 
single laser, which enables a high-fidelity interference among 
photons from different users, (iii) Due to the bi-directional 
structure, the system can automatically compensate for any 
birefringence effects and polarization-dependent losses in op¬ 
tical fibers, a feature that makes the system highly stable, (iv) 
The users can utilize the strong pulses from the server to easily 
synchronize and share time references, (v) There is a prospect 
of leveraging costly infrastructure for the quantum network, 
since the single laser source can be broadband, dynamically 
reconfigured and shared by several users via wavelength divi¬ 
sion multiplexing (WDM) [49] . 

The additional assumption, as compared to the initial MDI 
quantum network, is the trust of the monitoring devices. Note 
that the users need to monitor only classical laser pulses in¬ 
stead of single-photon signals. Such monitoring can be easily 
realized by a standard optical filter and a classical intensity 
detector, and it is a necessary part of both BB84 and the ini¬ 
tial MDI-QKD in order to prevent the so-called Trojan-horse 
attack [9]. It is important that proof-of-concept experiments 
have been reported towards implementation of this monitor¬ 
ing [50-52] and that ID Quantique’s commercial system (i.e., 
Clavis2) has already included a preliminary version of the 


monitor [4]. Recently, the security of the intensity detector 
has been studied comprehensively in [52]. Our work may lead 
to future research on an efficient implementation of the single¬ 
mode filtering and monitoring. This monitoring is also a key 
ingredient in other quantum communication protocols such as 
quantum illumination [53]. 

The rest of this paper is organized as follows. We intro¬ 
duce the protocol of MDI-QKD with an untrusted source in 
Sec. II. In Sec. Ill, we present the security analysis of our pro¬ 
tocol by introducing an equivalently virtual model. In Sec. IV, 
we show the simulation results about the key rate comparison 
between MDI-QKD with an untrusted source and MDI-QKD 
with trusted sources, and study how device imperfections af¬ 
fect the protocol. Finally, we conclude this paper in Sec. V. 


II. MDI-QKD WITH AN UNTRUSTED SOURCE 


To illustrate our proposal, in Fig. 2, we present a specific 
design for QKD with two users. With simple modifications, 
our scheme can be applied to multiple users [29] . We consider 
a time-bin encoding [30], and the protocol runs as follows. 

a. Preliminaries Alice and Bob use a pre-shared key for au¬ 

thentication, and they negotiate parameters needed dur¬ 
ing the protocol run. Alice and Bob perform a calibra¬ 
tion measurement of their devices. 

b. Preparation and distribution Charlie generates a strong 

laser pulse, which creates two time-bin pulses (early 
pulse and late pulse) after an interferometer. Charlie 
uses a beam splitter (BS) to split the two time-bin pulses 
into two parts and send them to Alice and Bob via two 
quantum channels (e.g., optical fibers). 

c. Monitoring and Encoding phase Once the pulses arrive 

at Alice (Bob), they pass through an optical filter, a 
monitoring unit, which consists of a BS and an inten¬ 
sity detector (ID). The pulses are phase-randomized by 
a phase modulator, PM1 (PM3), and then encoded by 
an Encoder that consists of an intensity modulator (IM) 
and a PM. Alice and Bob also use the IM to generate 
signal/decoy states. Finally, the pulses are reflected by 
a Faraday mirror (FM) and attenuated by a variable op¬ 
tical attenuator (VOA) to single-photon level. 

c. Measurement phase The time-bin-encoded weak coher¬ 

ent pulses from Alice and Bob travel back through the 
two channels, interfere at the BS of Charlie and finally 
they are detected by two single photon detectors. A 
coincident event projects the photons into the so-called 
singlet state IV’ - ) = (|01) — 110))/x/2 [30]. 

d. Basis and signal/decoy reconciliation Alice and Bob an¬ 

nounce their encoding bases and signal/decoy inten¬ 
sity levels over the authenticated public channel and 
keep the samples measured in the same bases for sig¬ 
nal/decoy states. 
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FIG. 2: (Color online) Schematic diagram of a time-bin-encoding MDI-QKD with an untrusted laser source. The strong time-bin laser pulses 
are generated by a pulsed laser and an interferometer in Charlie and they are split into two groups by a beam splitter (BS). Once these pulses 
arrived at Alice (Bob), they pass through an optical filter (F), a monitoring unit with a BS and a classical intensity detector (ID), a phase 
modulator (PM1 and PM3) for phase randomization and a variable optical attenuator (VOA). Then, the pulses are encoded by an Encoder that 
consists of an intensity modulator (IM) and a PM, and they are reflected by a Faraday mirror (FM). Finally, the pulses from Alice and Bob 
interfere at Charlie’s BS and detected by two single photon detectors (DO and Dl). The coincident counts are recorded by a time interval 
analyzer (TIA). 


e. Parameter estimation Alice and Bob perform the secu¬ 
rity analysis and the decoy state analysis based on their 
monitoring results and Charlie’s public announcements. 

g. Error reconciliation and privacy amplification Alice 

and Bob perform the error correction. To ensure 
that they share a pair of identical keys, they perform 
an error-verification step using two-universal hash 
functions. Finally, Alice and Bob apply the privacy 
amplification to produce the final secret key. 

Since the source is entirely unknown and untrusted, we use 
three measures to enhance the security of our protocol [9, 47]. 

1. We place a narrow bandpass filter (together with a sin¬ 
gle mode fiber), i.e., F in Fig. 2, to allow only a single 
mode in spectral and spatial domains to enter into the 
Encoder. Note that a wavelength-bandpass filter has al¬ 
ready been implemented in commercial QKD systems 
(i.e., Clavis2) [4]. Moreover, the analysis in [54] shows 
that with standard optical devices, the single mode as¬ 
sumption can be guaranteed with a high rate of accu¬ 
racy. 

2. We monitor the pulse energy and the arrival time to ac¬ 
quire certain information about the photon number dis¬ 
tribution (PND) and the timing mode. Such monitor¬ 
ing can also defend the Trojan house attack [9] and it 
has been included in commercial QKD systems [4] . By 
randomly sampling the pulses to test the photon num¬ 
bers, we can estimate some bounds on the output PND. 
In Fig. 2, this estimation is accomplished by Alice’s and 
Bob’s BS and ID. In practice, besides the ID, a spectrum 
analyzer can also be introduced to monitor the spectral 
information. 


3. Alice and Bob use PM1 and PM3 to apply the active 
phase randomization [50]. The phase randomization is 
a general assumption made in most security proofs for 
laser-based QKD [55-57] and the randomization can 
disentangle the input pulse into a classical mixture of 
Fock states. 

All the above three measures lead us to analyze the secu¬ 
rity of MDI-QKD with an untrusted source quantitatively and 
rigorously. 


III. SECURITY ANALYSIS 


A. System model 

To analyze the security of Fig. 2, we model Alice’s (Bob’s) 
system in Fig. 3(a). We model all the losses as a A/(l — A) 
beam splitter, i.e., the internal transmittance of Alice’s (Bob’s) 
local lab is A a (A^), which can be set accurately via VOA in 
Fig. 2. Each input pulse after the filter (F) is split into two 
via a BS: One (defined as the encoding pulse ) is sent to the 
Encoder for encoding, and the other (defined as the sampling 
pulse ) is sent to the ID for sampling. One might suppose that 
the PND of the encoding pulse could be easily estimated from 
the measurement result of the corresponding sampling pulse 
by using the random sampling theorem [58, 59]. However, 
this supposition is not true. Any input pulse, after the phase 
randomization, is in a Fock state. Therefore, in the case of 
a pair of encoding and sampling pulses originating from the 
same input pulse, the PNDs of the two pulses are correlated. 
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This restriction suggests that the random sampling theorem 
cannot be directly applied. 

We resolve the above restriction and analyze the security by 
introducing a virtual model in Fig. 3(b) [48]. For the imper¬ 
fect ID in Fig. 3(a), assuming that its efficiency is t/id < 1, we 
model the q/(l — q) BS and the imperfect ID as a q'/(l — q') 
BS and a perfect ID with q' = (1 — q)r] id- To ensure that 
an identical attenuation is applied to the encoding pulses in 
both models, we redefine the internal transmittance in the vir¬ 
tual model as: A' = q\/q f < 1. Moreover, in the virtual 
model, we introduce a 50:50 optical switch to realize the ac¬ 
tive sampling. The optical switch, which is different from a 
BS, is solely a sampling device, without any restriction on the 
correlation of the PNDs of the encoding pulses and the sam¬ 
pling pulses. The random sampling theorem can be applied. 
A crucial fact is that the internal losses in the actual model and 
the virtual model are identical. The upper and lower bounds 
of output PND estimated from the virtual model are therefore 
also valid for those of the actual model, i.e., these two models 
are equivalent in the security analysis, an equivalence that has 
been proved in [48]. 

In Fig. 3(b), we define m a ( n a ) as the photon number of the 
pulses that input (output) Alice. We also define the pulses that 
input Alice as 

• Untagged pulses: m a G [(1 - S a )M a , (1 + 5 a )M a ]\ 

• Tagged pulses: m a < (l-S a )M a orm a > (1 +5 a )M a . 

Here S a is a small positive real number, and M a is a large 
positive integer (which can be the average of the input photon 
numbers of the pulses received by Alice). The same defini¬ 
tions apply to Bob’s pulses with parameters {m^, Mf\. 

Note that {$ a ,£ 5 , M a , are chosen by Alice and Bob. 

From the random sampling theorem, we draw the follow 
proposition [47]. 

Proposition 1. Consider that 2 k pulses are sent to Alice 
from an untrusted source, and, of these pulse, V a pulses are 
untagged. Alice randomly assigns each pulse a status as ei¬ 
ther a sampling pulse or an encoding pulse with equal proba¬ 
bilities. In total, V* sampling pulses and Vf encoding pulses 
are untagged. The probability that Vf < V* — ‘leak satisfies 

P{v: < V a s - 2 e a k) < eM-kel), (D 

where e a is a small positive real number chosen by Alice (i.e. 
the error probability due to statistical fluctuations). That is, 
Alice can conclude that Vf > V a s — e a k with confidence level 
r a > 1 - exp {-ke 2 a ). 

The proof is shown in Appendix A. This proposition shows 
that Alice can estimate Vf from U a s . Bob’s untagged pulses 
have the same property. Furthermore, if we define A a (A 5 ) 
as the average probability that a sampling pulse belongs to 
a tagged sampling pulse in the asymptotic case, then Alice 
(Bob) can conclude that there are no fewer than (1 — A a — e a )k 
((1 — A b~Cb)k) untagged encoding pulses with high fidelity. 


B. Untagged pulses 

In our analysis, Alice and Bob focus only on the untagged 
pulses for key generation and discard the other pulses. In 
practice, since Alice and Bob cannot perform quantum non¬ 
demolishing (QND) measurement on the photon number of 
the input pulses with current technology, they do not know 
which pulses are tagged and which are untagged. Conse¬ 
quently, the gain and the quantum bit error rate (QBER) of 
the untagged pulses can not be measured directly. Alice and 
Bob can measure only the overall gain and the QBER. How¬ 
ever, from Proposition 1, they know the probability that a cer¬ 
tain pulse is tagged or untagged. Hence, they can estimate the 
upper and lower bounds of the gain and the QBER of the un¬ 
tagged pulses. Furthermore, in the case that an untagged pulse 
inputs Alice or Bob in Fig. 3(a), then the conditional probabil¬ 
ity that n a (rib) photons are emitted by Alice obeys a binomial 
distribution, which can be controlled by Alice’s (Bob’s) inter¬ 
nal transmittance. Alice (Bob) can also estimate the bounds 
of such a binomial distribution. The specific bounds for the 
gain, QBER and the PND of the untagged pulses are shown in 
Appendix B. Using these bounds, we can prove the security 
of MDI-QKD with an untrusted source quantitatively. 


C. Key rate 

The secure key rate of MDI-QKD with an untrusted source 
in the asymptotic limit of infinite long keys is given by 

R > (1 - Aa - Ca)(l - A 6 - €„)<&[ 1 - H 2 (Wl)] 

where Q\ x and e* are, respectively, the lower bound of the 
gain in the rectilinear (Z) basis and the upper bound of the er¬ 
ror rate in the diagonal (X) basis, given that both Alice and 
Bob send single-photon states in untagged pulses; H 2 is the 
binary entropy function given by H 2 (x)=—x log 2 (x) — (1 — 
x) log 2 (l— x) \ Qg and denote, respectively, the over¬ 
all gain and QBER in the Z basis when Alice and Bob use sig¬ 
nal states; f e > 1 is the error correction inefficiency function 
(in simulations, we consider f e = 1.16). Here we use the Z 
basis for key generation and the X basis for testing only. In 
practice, Q g and E^ are directly measured in the exper¬ 
iment, while Q\ x and e* are estimated from the decoy states. 


D. Decoy states 

In the previous decoy-state protocols for MDI-QKD [22, 
24-26, 28], the key assumption is that the yield, Y naUb 2 , re¬ 
mains the same for signal or decoy states. However, this as- 


2 Tn a n b is defined as the conditional probability that Charlie has a coinci¬ 
dent event given that Alice (Bob) sends out an n a (n^) photon signal. 
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(a) (b) 


FIG. 3: (a) The actual model for Fig. 2. All the internal loss of Alice/Bob is modeled as a A/(l — A) beam splitter, (b) An equivalent virtual 
model. The loss is modeled as a A'/ (1 — X') beam splitter, q — rjm (1 — q), where r]ir> < 1 is the efficiency of the imperfect intensity detector. 
A' = qX/q . The virtual model, which has features from (a), is used to analyze the security of (a). 


sumption is no longer valid in the case that the source is con¬ 
trolled by Eve, because Eve knows both the input photon num¬ 
ber m a ( mi ,) and the output photon number n a (rib). In this 
case, the parameter that is the same for any signal and decoy 
state is Y marnbnanb 3 * * . Similarly, the conditional QBERs are 
also different if Eve controls the source. 

Therefore, in MDI-QKD with an untrusted source, Eve is 
given significantly greater power, since she can control both 
the input and the output of Alice’s and Bob’s lab. The decoy 
state analysis is more challenging. However, rather surpris¬ 
ingly, it is still possible to achieve the unconditional security 
quantitatively, even if the source is given to Eve [47]. This 
is so mainly because we are focusing only on the untagged 
pulses, whose PND, gain and QBER can be bounded. There¬ 
fore, we are still able to estimate Q\ x and e*. Such an estima¬ 
tion can be completed by using either the numerical method 
based on linear programming or the analytical method. The 
details of this estimation are shown in Appendix C. 


IV. NUMERICAL SIMULATION 


3 Ym a m b n a n b is defined as the conditional probability that Charlie has a 

coincident event given that the two pulses enter Alice’s and Bob’s lab with 

photon number m a and mb, and they emitted from Alice’s and Bob’s lab 

with photon number n a and rib. 


Vd 

Y 0 

ea 

f 

a 

20% 

3 x 10" 6 

0.1% 

75 MHz 

0.21 dB/km 

t\id 

&ID 

q 

e 

k 

0.7 

6.55 x 10 4 

0.01 

10 -10 

3.5 x 10 13 


TABLE I: List of practical parameters for simulation. The detection 
efficiency r]d and the dark count rate Y 0 are from commercial ID-220 
single photon detectors [4]. The channel misalignment error ed, the 
system repetition rate /, the total number of pulses k and the fiber 
loss coefficient a are from the 200 km MDI-QKD experiment [34]. 
The efficiency of the intensity detector (ID) 77 /d , the noise of the ID 
c7 id , and the beam splitter ratio q are from [48]. e is the security 
bound considered in our finite-key analysis. 

The details of the simulation techniques, including the 
model for the imperfect intensity detector, the tagged ratio A 
and the finite-data statistics, are shown in the Appendix D. We 
use the experimental parameters, listed in Table I for simula¬ 
tion. For S = 8 a = 5b, a choice for it that is too large or too 
small will make the security analysis less optimal [48]. We 
find numerically that S = 0.01 is a near an optimal value. In 
addition, we assume that the source in Charlie is Poissonian 
centered at M c photons per optical pulse. In this bi-directional 
structure, Alice’s and Bob’s average input photon numbers 
(M a and Mb) depend on the channel loss and M c . The gain 
and the QBER are derived using the channel model presented 
in [25]. 

The simulation results with an infinite number of signals 
are shown by the red curves in Fig. 4. We consider two decoy 
states: we fix the vacuum state at cc = 0, the weak decoy state 
at v = 0.01, and optimize the signal state fi for different dis¬ 
tances. With M c = 10 7 (Charlie’s mean photon number per 
pulse), the case with an untrusted source (red dotted curve) is 
similar to that with trusted sources (red dashed curve) at short 
distances. The condition changes at long distances. This oc¬ 
curs because at long distances, due to the channel loss, the 
photon numbers arrived at by Alice and Bob will be much 
smaller than M c . The lower input photon number increases A 
and the estimate of the gain of the untagged pulses is sensitive 
to the value of A (see Eq. (Bl)). This is so especially when 
the measured overall gain is small over long distances. In con¬ 
trast, over short distances, the gain is significantly greater than 
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FIG. 4: (Color online) Simulation results. Red curves are for an infi¬ 
nite number of signals. M c denotes the mean of the photon number 
(per pulse) of Charlie’s laser pulses. With M c m 10 9 and practi¬ 
cal imperfections, MDI-QKD with an untrsuted source can tolerate 
about 195 km distance. At the distances below 180 km, the key rates 
for the two cases (with trusted and untrusted source) are almost over¬ 
lapping. Blue curves are for a finite number of signals. Finite data 
size reduces the efficiencies for both cases. MDI-QKD with an un¬ 
trusted source can still tolerate over 70 km fiber with detectors of 
20% efficiency. 


A; therefore, the key rates for the two cases are almost over- 
lapping. 

A natural scheme for the improvement of the performance 
of MDI-QKD with an untrusted source is the use of a brighter 
laser. Indeed, the performance is improved substantially by 
setting M c = 10 9 (red solid curve). The two cases (with 
trusted sources and with an untrusted source) have similar re¬ 
sults. Note that sub-nanosecond pulses with ~ 10 9 photons 
per pulse can be easily generated with directly modulated laser 
diodes. For instance, if the wavelength is 1550 nm and the 
pulse repetition rate is 75 MHz, the average laser power of 
Charlie’s source is ~ 9.6 mW. This laser power can be pro¬ 
vided by many commercial pulsed laser diodes. 

The simulation results with a finite number of signals are 
shown by the blue curves in Fig. 4. We choose the confi¬ 
dence level r for the statistical fluctuations of the estimation 
of the number of untagged pulses (see Eq. (1)) as r a = = 

r > 1 — 10 -7 , which suggests that e a = = 3.03 x 10 -7 . 

We set M c = 10 9 . We can see that finite data size clearly 
reduces the efficiencies: first, the statistical fluctuation for 
decoy-state MDI-QKD becomes important, and this factor re¬ 
duces the performance of both the trusted source and the un¬ 
trusted source. Second, e a and e 5 are non-zero in this finite 
data case, and thus the estimate of the gain of the untagged 
pulses becomes not tight (see Appendix D) 4 . In the finite data 
setting, our protocol can tolerate about 70 km fiber with stan¬ 


4 That is, due to statistical fluctuations, the proportion of tagged pulses is 
increased. Our analysis is conservative in that Eve can fully control the 
tagged pulses, which makes the security bound worse than MDI-QKD with 
trusted sources. 


dard commercial detectors of 20% efficiency. With state-of- 
the-art detectors [60], however, the protocol can easily gener¬ 
ate keys over 200 km fiber. 


V. DISCUSSION 

In summary, we propose a MDI quantum network with an 
untrusted source. In this network, the complicated and expen¬ 
sive detectors, together with the laser source, can be provided 
by an untrusted network server that can be shared by all users; 
that is, a star-type MDI quantum access network can be read¬ 
ily realized on the basis of our proposal for several quantum 
information processing protocols [36-40]. Our work proves 
the feasibility of such a realization. Moreover, we present a 
complete security analysis for MDI-QKD with an untrusted 
source. Our analysis and simulation consider various practi¬ 
cal imperfections, including additional loss introduced by the 
bi-directional structure, the inefficiency and noise of the inten¬ 
sity monitor, and the finite data-size effect. Furthermore, our 
protocol is practically secure and ready for implementation. 
An experimental demonstration is in progress. 

It is worthy to mention that one practical issue associated 
with Fig. 2 is the temporal matching. For instance, the two 
channels - Alice-Charlie and Bob-Charlie - may be differ¬ 
ent in practice, then the arrival times are mismatch when the 
pulses return back to Charlie. One solution, as demonstrated 
already in [30], is to introduce addition fibers inside either Al¬ 
ice or Bob to match the channel length. Note that, similar to 
the conventional plug&play system [4], in our proposal, each 
of Alice and Bob should hold certain length of fiber spool as 
the optical buffer. Consequently, Alice/Bob can control the 
length of this fiber buffer to match the channel difference. 
Furthermore, the feedback control techniques, demonstrated 
in [34] could also be used to ameliorate temporal-matching 
issues. 

There are still several imperfections that are not analyzed 
in our paper, such as the source flaws in the state prepara¬ 
tion [54], the non-ideality in the optical filter, and the im¬ 
perfections in the electronics of the classical intensity detec¬ 
tor [52]. These questions lead to an interesting future project, 
that is, deriving a refined analysis that includes all possible 
(small) imperfections and side channels in users. For instance, 
Ref. [61] has reported comprehensive analysis against the Tro¬ 
jan horse attack. We expect that this research direction will 
move an important step towards unconditionally secure com¬ 
munication networks that are also practical. 
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Appendix A: Proof of Proposition 1 


We follow [48] to prove Proposition 1. Among all the V 
untagged pulses, each pulse has probability 1/2 to be assigned 
as an untagged encoding pulse. Therefore, the probability that 
V a e = v obeys a binomial distribution. Cumulative probability 
is given by [59] 


„ /Trp V — 2ek. . , 4e 2 k\ 

P(Ya < - 2 -^ = V ^~ eXp (-—) 

For any v £ [0, 2k], 2k/v > 1. Therefore, we have 


V — 2 fh 

P(v a e < ——\V e [0,2 k\) < exp (-ke 2 ). 


Since V G [0, 2k] is always true, the above inequality re¬ 
duces to 


V — 2 fh 

P(v: < ---) < exp(—fee 2 ). (Al) 


numbers of the untagged pulses concentrated within a narrow 
range, this makes it much easier to analyze the security. 

In practice, since Alice and Bob cannot perform quantum 
non-demolishing measurement on the photon number of the 
input pulses with current technology, they do not know which 
pulses are tagged and which are untagged. As a result, the 
gain Q and the quantum bit error rate (QBER) E of the un¬ 
tagged pules cannot be measured experimentally. Here Q is 
defined as the conditional probability that Charlie has a co¬ 
incident event given that both Alice and Bob send out an un¬ 
tagged pulse and Alice and Bob use the same basis; E is de¬ 
fined as error rates inside Q. 

In experiment, Alice and Bob can measure the overall gain 
Q e and the overall QBER E e . The subscript e denotes the 
experimentally measurable overall properties. Moreover, they 
know the probability that certain pulse to be tagged or un¬ 
tagged from the above analysis. Although they cannot mea¬ 
sure the gain Q and the QBER E of the untagged pulses di¬ 
rectly, they can estimate the upper bounds and lower bounds 
of them. The upper bound and lower bound of Q are: 


By definition, we have 

v = K e + V?- (A2) 

Substituting Equation (A2) into Equation (Al), we have 

P(V a e < V a s - ek) < exp (-ke 2 ). □ (A3) 

The above proof can be easily generalized to the case where 
for each pulse sent from the untrusted source to Alice/Bob, 
Alice/Bob randomly assigns it as either an encoding pulse 
with probability /3, or a sampling pulse with probability 1 — /?. 
Here /3 G (0,1) is chosen by Alice/Bob. It is then straightfor¬ 
ward to show that 

P[V° ^ TZTpW “ 2ek)] - e M~Me 2 /3 2 ). (A4) 


Appendix B: Properties of untagged pulses 


Q<Q = 
Q>Q = 


Qe 


(l-A 

max(0, 


a e a)(l A b Cfr) 

Q e -1 + (1 -A a -e a )(l-A b - 
(1 - A a - e a )(l - A b - e b ) 




)• 


(Bl) 


The upper bound and lower bound of E • Q can be estimated 
as 


E-Q = 


(l-A 


E • Q = max(0, 


Qe^e 

a ~ 0(1 ~ - e b ) ’ 

Q e E e — 1 + (1 — A a — Q(1 — Afr 
(1 A a e a)(l A b e b ) 


O 


)• 


(B2) 

Moreover, suppose that an untagged pulse with input pho¬ 
ton number m a G [(1 - S a )M a , (1 + S a )M a } inputs Fig.3(a) 
of main-text, the conditional probability that n a photons are 
emitted by Alice given that m a photons enter Alice obeys bi¬ 
nomial distribution as: 


The main concept to analyze the properties of the untagged 
pulses follows the analysis for plug&play QKD presented 
in [47]. Both Alice and Bob will focus on the (1 — A a — e a )k 
and (1 — A b — e b )k untagged pulses for key generation and 
discard the other pulses. This provides a conservative way 
to analyze the security, and also, owing to the input photon 


P(n a \m a ) = (A„</)"«(1 - \ a q) m “- n ° (0 < A a < 1) 

(B3) 

For Alice’s untagged bits, we can show that the upper 
bound and lower bound of P(n a \m a ) are: 


P{n a \m a ) = < 


Pjng\rria ) = < 


' (i _ A a q) (1 ~ 5a)Ma , 
(1+ ™ 0 )Ma )( A a9)”“( 1 - X a q) {1+Sa)Mo 

u 

o, 


if n a = 0; 

if 1 < n < (1 + 5 a )M a ; 
if n a > (1 + S a )M a ; 

if n a = 0; 

if 1 < n < (1 - 5 a )M a ; 
if n a > (1 — S a )M a ; 


(B4) 
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under the condition: (1 + S a )M a X a q < 1 . This condition 
suggests that the expected output photon number of any un¬ 
tagged pulse should be lower than 1. This is normally a basic 
condition in decoy-state BB84 and MDI-QKD based on weak 
coherent pulses. For example, for M a = 10 7 and q = 0.01, 
Alice can simply set A a = 10 -6 so that the expected output 
photon number is 0 . 1 . 

Appendix C: Decoy state analysis 

Various decoy-state methods have been proposed for MDI- 
QKD [22, 24, 28]. Among all these decoy state protocols, 
the two decoy state protocol has been shown to be the op¬ 
timal one [28], it has already been used in all experimental 
MDI-QKD implementations reported so far [30-35]. In this 
protocol, there are three states: Alice’s signal state /i a (for 
which the internal transmittance is X%), Alice’s two weak de¬ 
coy states v a and uo a (for which the internal transmittance is 
Aa < Ki < A^). In this work, we focus on the symmetric 
case where the two channel transmissions from Alice to Char¬ 
lie and from Bob to Charlie are equal. In symmetric case, the 
optimal intensities for Alice and Bob are equal [28]. Hence, 
to simplify our discussion, we assume that equal intensities 
are used by Alice and Bob, i.e., 7 a = 7&=7 with 7 G {/i, z/, cc}. 
Also, we consider that only the signal state is used to generate 
the final key, while the decoy states are solely used to test the 
channel properties. 

In previous decoy-state protocols for MDI-QKD [22, 24, 
28], the key assumption is that the yield of n a and n b photon 
state Y naUh remains the same, whatever signal states or decoy 
states are chosen by Alice and Bob, e. g-XTn^XiT^-Here 
Yn^n b is defined as the conditional probability that Charlie has 
a coincident event given that Alice (Bob) sends out an n a (n b ) 
photon signal and they both chose signal state by setting inter¬ 
nal transmittances A^ and X b . This is true because in previous 
analysis, Eve knows only the output photon numbers n a and 
n b of each pulse. However, this assumption is no longer valid 
in the case that the source is controlled by Eve. Because Eve 
knows both the input photon number m a (m b ) and the output 


photon number n a (n b ) when she controls the source. There¬ 
fore she can perform an attack that depends on the values of 
both m and n. In this case, the parameter that is the same 
for any signal and decoy states is E mambnan& , the conditional 
probability that Charlie has a coincident event given that the 
two pulses enter Alice’s and Bob’s lab with photon number 
m a and m b , and they emitted from Alice’s and Bob’s lab with 
photon number n a and n b . Similarly, the conditional QBERs 
are also different: if Eve controls the source. 

The parameter that is the same for the signal state and the de¬ 
coy states is c rnaTnbrianb . 

In summary, in MDI-QKD, if the source is assumed to be 
trusted, we have: 

1 riant, 1 n a n b 
n a n b ° n a n b * 

If the source is accessible to Eve (i.e., the source is untrusted), 
we have: 

Y^n — y uu 

1 m a mbn a nb 1 m a mbn a nb 

pUU _ 

m a mbn a nb m a mbn a nb’ 

The dependence of Y naUb and e naUb on different states is a 
fundamental difference between MDI-QKD with an untrusted 
source and MDI-QKD with trusted source. Therefore, in 
MDI-QKD with an untrusted source, Eve is given signifi¬ 
cantly greater power, and the decoy state analysis is much 
more challenging. However, rather surprisingly, it is still pos¬ 
sible to achieve the unconditional security quantitatively even 
if the source is given to Eve. This is mainly because we are 
only focusing on the untagged pulses, whose photon number 
distribution, the gain and the QBER can be hounded via Eqs. 
(B4), (Bl), (B2) respectively. Therefore we are still able to 
estimate Q\ x and e*. Such estimation can be completed by 
using either numerical method based on linear programming 
or analytical method. 

In a MDI-QKD implementation with an untrusted source, 
by performing the measurements for different intensity set¬ 
tings, we can obtain: 


m a — {1+8 a) M a m b — (1 +8b)M b oo oo 

b = Pin( m a)Pin( m b)P la {n a \m a )P^ h (n b \m b )Y marnhrianb 

m a = {l—8 a )M a mb = {l—8b)Mb na =0 0 

r n7'a = {l+8a)M a mb={l+8b)Mb oo oo 

E E E E Pin {jtla)Pin ipib) P^ a {jla \ r ^ j a)P^ h {^b\^b^Y maTnhnanb C rriaVribnanb 

m a = (l—8 a )M a m b ={l-8 b )M b n a =0 n b =0 


(Cl) 


where x C {X, Z} denotes the basis choice, y a (y b ) denotes 
Alice’s (Bob’s) intensity setting, Q* alb (E* ) denotes the 

gain (QBER); where Pi n {m a ) is the probability that the input 
signal contains m a photons (i.e., the ratio of the number of 
signals with m input photons over fc), P la ( n a \m a ) is the con¬ 


ditional probability that the output signal contains n a photons 
given the input signal contains m a photons, for state y a and is 
given by Eq. (B3). 

Q\ x for 7 a = /i and 7 b — h can be written as 
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7Ti a — (l _ l _ <5o)-^^a TYlb — (l^^i>)-^t 

$n= E E Pin{rn a )P in {m b )P^(l\m a )P^(l\rn b )Y m 

a mb 11 

m a = (l-(5 a )M a rab = (l-<5f,)M b 


ra a = (l+<5 a )M a m b = (l+(5f,)M b 

e e P in cl) Pin {^b)^rn a TO5 11 

nia = (1 <E)-^a PP'b = (1 $b)-Mb 


pM pM cZ 
■*11 m a ■*! | m 11 5 


(C2) 


where the bounds of the probabilities are from Eqs. (B4). 1. Numerical approaches 

Thus, the estimation on Q\ x is equivalent to the estimation 
of Sf l9 and Eq. (Cl) can be written as 


Q* aJb = E p7 “KI m a)F nb (nb\m b )S^ a „ b 

n a ,ni,= 0 

oo 

E P^(n a \m a )P^(n b \m b )SX anb eX anb 

P'a l'P'b — 0 

(C3) 


Ignoring statistical fluctuations temporally, the estimations 
on S X1 and e*, from Eq. (C3) are constrained optimisation 
problems, which is linear and can be efficiently solved by lin¬ 
ear programming (LP). The numerical routine to solve these 
problems can be written as: 


min :6f l5 

s.t. :0 < S% anb < 1 ,withn a ,n b e <S cut ; 

_ (1 - Aa) (1_5 “ )M “, if n a = 0; 

P(n a \m a ) = { ( (1+ l“ )Mo )^" a (l - V) (1+,5 “ )Mo_ " a , if 1 < n < (l + S a )M a ; 

0, ifn„ > (l + d a )M a ; 

(1-X a ) {1+Sa)Ma , if n a = 0; 

P(ng\m a ) = ^ ( (1 “t )Mo ) A "“(l- A a) (1 " 5o)Ma ""% if 1 < n < (1 - S a )M a ; 

0, if n a > (1 - S a )M a - 

OjaTb ~ 1 + E -P 7a (^q|ma)-P 7, ’( n bl TO b) < E p7 ° («a|m a )P 7!) (n b |m b )5^ ani) < Q 


z 

7a 7b 


P'a tP'b cut 


n,meS cut 


Max :e^, 

si. :0 < S* anb < 1,0 < Sn a n b e n a n b < 1 ,withn a ,n b e S cut 

_ (1 - A a q)P-^)M a5 if n a = 0; 

P(n a \m a ) = \ ( ( 1 + l“ )Ma )(Ao9)"°(l - X a q) < ' 1+5a)Ma ~ na , ifl < n < (l + S a )M a ; 

0 , ifn a > (l + d a )M a ; 

(1 - X a q) {1+Sa)Ma , if n a = 0 ; 

P(n a |m a ) = ^ ( ( 1 _ ^“ )Ma )(A a g) n “(l - if 1 < n < (1 - 6 a )M a ; 

0, if n a > (1 - S a )M a \ 

Q^a lh ~ 1 + E -P 7a (^al TO a)- p76 (»bl TO b) < E pla ( n a\rn a )P lb {n b \rn b )Sn a n b <Q 

P'Ci cut n,meS cut 

~ 1 + E P la {n a \m a )P lb (n b \rn b ) < ^ P la (n a \m a )P^(n b \m b )S* anb e* anb < 

n a ,n b eS cut n,meS cut 


X 

7a 7b 


where <S cut denotes a finite set of indexes n a and n^, with prefixed values of A cut > 2 and NB cut > 2 . In our simu- 

^cut — \jiai Tib C N with n a ^ -Tcut 3 .nd njj ^ -^cut}? for 
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lations, we choose A cut = 7 and B cut = 7, as larger A cut 
and B cut have negligible effect on decoy-state estimation. 
More discussions can be seen in [22]. Here, 7 G 
for two decoy-state estimation. Notice that statistical fluctu¬ 
ations can be easily conducted by adding constraints on the 
experimental measurements of Q* alh and E* . These addi¬ 
tional constraints can be analyzed by using statistical estima¬ 
tion methods, such as standard error analysis [22] or Chernoff 
bound [26]. A rigorous finite-key analysis can also be imple¬ 
mented by following the technique presented in [26]. 

2. Analytical approaches 

A rigorous estimation is to solve the equation set of 
Eq. (C3) by using the constrains on the binomial probability 
distributions given by Eq. (B4). The analytical expression for 
such an estimation is highly complicated. So, we only use nu¬ 
merical method presented in last section to study this precise 
estimation. Here, for the analytical expression, we present a 
relatively simple analytical method by using the Poisson limit 


theorem [58]: 

Claim: Under the condition that m 00 and Xq -» 0, 
such that /i = mXq, then 

M (A<j)"(l - Xq) m ~ n -»■ exp(- M )^ (C4) 
\n J n\ 

The condition in this claim is easy to meet in an actual 
experiment as m can be larger than 10 6 and Xq is normally 
lower that 10 “ 7 in a practical setup. The intuition behind this 
approximation is that we applied heavy attenuation on the in¬ 
put pulses in Alice and bob. The input pulse has more than 
^ 10 6 photons, while the output pulse has less than one pho¬ 
ton on average. The internal attenuation of Alice’s local lab 
is greater than -60dB. We know that heavy attenuation will 
transform arbitrary photon number distribution into a Poisson- 
like distribution. A qualitative argument on this argument for 
the plug-and-play structure has been provided in [9]. From 
the approximation, Eq. (C3) can be estimated using the simi¬ 
lar methods presented in [28]. 

The lower bound of is given by 


cZ = _1_ 

(z, 2 -cu 2 )(z,-cu)(Q2 


X [0 - cu 2 )(/i - uj)(Q^e 2u + Quu e - Qloj eV+UJ - Qlv eUJ+U )~ 


p 2m 






Q 


7a p h+lo 


Q. 




OJfl 


)]• 


The upper bound of S'* e* is given by 


cx _ - 1 - 

— ( \0 
[v — UJ) Z 


x [e 2v Q*E$, + e^QZuEX, - e^Q^E*, - £&,]. 


Appendix D: Simulation techniques 

In simulation, the gain and the QBER are derived using 
the channel model presented in [25]. We consider two decoy 
states: v = 0.01 and uo = 0 , and we optimize the signal state 
fi for different distances. We choose f e = 1.16 


1. Imperfect intensity detector 

There are two major imperfections of the intensity detec¬ 
tor (ID): inefficiency and noise. The inefficiency tjid can 
be easily modeled as additional loss by using a beam split¬ 
ter. The noise of the ID is another important imperfection. 
In a real experiment, the ID may indicate a certain pulse 
contains m! photons. Here we refer to m! as the measured 
photon number in contrast to the actual photon number m. 


However, due to the noise and the inaccuracy of the inten¬ 
sity monitor, this pulse may not contain exactly m' pho¬ 
tons. To quantify this imperfection, following [48], we in¬ 
troduce a term, called conservative interval We then de¬ 
fine V_ s as the number of sampling pulses with measured pho¬ 
ton number m' G [(1 — S)M' + <7 (1 + 5)M' — ^], where 
M' = Mr] id (1 — q). One can conclude that, with confidence 
level r c = 1 — c(c), the number of untagged sampling pulses 
ys > y> 3 One can make c(q) arbitrarily close to 0 by choos¬ 
ing a large enough q. That is, for one individual pulse, the 
probability that \m — m'\ > q can be negligible. 

In practice, various noise sources, including thermal noise, 
shot-noise, etc, may exist. Here, in simulation, we consider 
a simple noise model where a constant Gaussian noise with 
variance cr 2 D is assumed. That is, if m photons enter an effi¬ 
cient but noisy ID, the probability that the measured photon 
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number is m' obeys a Gaussian distribution 


P(m'\m) 


1 


&IM 


s/2tt 


exp[- 


(m — m ') 2 


(Dl) 


Hence, the measured photon number distribution P(m') has 
a larger variation than the actual photon number distribution 
P(m) due to the noise. More concretely, if the input pho¬ 
ton numbers obeys a Gaussian distribution centered at M with 
variance cr 2 , the measured photon numbers also obeys a Gaus¬ 
sian distribution centered at M', but with a variance a 2 + a 2 D . 


2. The tagged ratio A 

For any S G [0,1] and the imperfect ID discussed above, we 
can calculate A from the measured photon number m! by 

A = 1 - [$(M' + SM' + <Q - $(M' - SM' - <Q)], (D2) 

where <f> is the cumulative distribution function of the photon 
number for the measured pulses [58]. Assuming that the sys¬ 
tem is based on a coherent source by Charlie, which means 
that the input photon number m obeys Poisson distribution. It 
is natural to set M to be the average input photon number. In 
numerical simulation, for ease of calculation, we approximate 
the Poisson distribution of the input photon number M as a 
Gaussian distribution centered at M with variance a 2 = M. 
This is an excellent approximation because M is very large 
(10 7 or larger) in all the simulations presented below. Then, 
the measured photon number m! follows a Gaussian distribu¬ 
tion centered at M' = Mpj d( 1 — q) with a variance M + a 2 B . 
The Gaussian cumulative distribution function is given by [58] 

*»(*) — b + e V(M^? D) )l’ <D3) 

where erf(x) = f Q r e~ f2 dt is the error function. Notice 
that erf(x) is an odd function, from Eqs. (D2) and (D3), we 
have 


A = 


1 — erf( 


SM' + 

\/2 M + 2a 2 B 


(D4) 


In simulation, for S = S a = S^, a choice for it that is too 
large or too small will make the security analysis less opti¬ 
mal [48]. We find numerically that S = 0.01 is a near an 
optimal value. 


3. Finite-data statistics 

A real-life QKD experiment is always completed in finite 
time, which means that the length of the output secret key is 
obviously finite. Thus, the parameter estimation procedure in 
QKD needs to take the statistical fluctuations of the differ¬ 
ent parameters into account. We assume that Charlie’s source 
generates 2k pulses in an experiment. The finite data effect 
has two main consequences: First, the finite data size will in¬ 
troduce statistical fluctuations for the estimation of the num¬ 
ber of untagged pulses. If the confidence level r a for Propo¬ 
sition 1 is expected to be close to 1, e a has to be positive. 
More concretely, for a fixed 2k, if the estimate on the un¬ 
trusted source is expected to have confidence level no less 

than r a , one has to choose e a as e a = In 

simulation, we choose the confidence level r (see Proposi¬ 
tion l)asr a = r\) = r > 1 — 10 -7 , which suggests that 
e a = Q> = 3.03 x 10“ 7 . Since e a and 65 are non-zero in 
this finite data case, the estimate of the gain of the untagged 
pulses becomes not tight at long distances. That is, due to 
statistical fluctuations, the proportion of tagged pulses is in¬ 
creased at long distance. Our analysis is conservative in that 
Eve can fully control the tagged pulses, which makes the secu¬ 
rity bounds worse than MDI-QKD with trusted sources. This 
is the reason why MDI-QKD with an untrusted source is not 
as good as MDI-QKD with trusted sources in the finite-data 
case, which has been shown in the Fig. 4 of main text. 

Second, in decoy state MDI-QKD, the statistical fluctua¬ 
tions of experimental outputs have to be considered. The tech¬ 
nique to analyze the statistical fluctuations can be analyzed 
by using statistical estimation methods, such as standard er¬ 
ror analysis [22] or Chernoff bound [26] . In this paper, we 
analyze the statistical fluctuations by using the standard error 
analysis method presented in [22]. In simulation, we choose 
e = 10“ 10 as the overall security bound. 
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